FAQ

Clavister EasyAccess

EasyAccess Virtual Appliance – Install Guide (PhenixID)

Requirements:

  • PhenixID VA install media (ISO file)
  • Create an account for OneTouch
    • https://support.phenixid.se/customer/authenticate/registration
  • Virtual Hardware (minimum)
    • CPU: 2
    • RAM: 3GB
    • Storage: 12GB
  • Network information
    • IP
    • Network
    • Gateway
    • DNS
  • Network Outbound – for registration
    • UDP/53
    • TCP/22
    • TCP/443

Install system:

  1. Create a new virtual machine and install from the ISO file, following the on-screen instructions.
  2. Register PhenixID with your OneTouch account
    1. Default username: phenixid
    2. Default password: password
  3. Activate network setting via: # menu
  4. Activate PhenixID Authentication Service via: # menu
  5. Open PhenixID config at: https://<ip-address>:8443/config

Install VMware-tools (https://software.opensuse.org/download.html?project=Virtualization%3AVMware&package=open-vm-tools)

  1. Verify the system OS via: # cat /etc/os-release (openSUSE 15.1)
  2. Add repository: # sudo zypper addrepo https://download.opensuse.org/repositories/Virtualization:VMware/openSUSE_Leap_15.1/Virtualization:VMware.repo
  3. Refresh repo: # sudo zypper refresh
  4. Install VMware tools: # sudo zypper install open-vm-tools
  5. Start the service: # sudo service vmtoolsd start (use stop / status in the same way)

Upgrade PhenixID virtual server to EasyAccess

  1. Create a snapshot of the VM as a safety measure
  2. Download the Linux package for EasyAccess from https://my.clavister.com
  3. Upload Linux package to VM
  4. Run the installer: # sh easy_server_linux_x64_3_0_0.sh
  5. Reboot the server

The system is now an EasyAccess server. However, the VM image itself still presents itself as PhenixID; change /etc/issue to reflect this.

Setup password+token one field verification

Assuming the EasyAccess server has been deployed properly, it is time to set up an authentication valve.

With this configuration you can add EasyAccess to most standard RADIUS portals; users log in with something like this:
Username: secure-online
Password: VerySectet!!654321   (the last 6 digits are the generated OTP)

Adding a RADIUS scenario is straightforward. Go to “Scenarios -> RADIUS -> Username and Password” and add a new one by clicking the + sign. Give it a name, a user database and a user search base, and specify a RADIUS connection.

Once added, the execution flow looks like this:

To use both the password and the OTP from the password field, we need to take them apart. Let’s add two additional valves:

  1. PropertySplitByIndexValve
  2. TokenValidationValve

The configuration for these two valves is as follows:

PropertySplitByIndexValve
Source: {{request.User-Password}}
Destination Attribute One: password
Destination Attribute Two: otp
Position: -6   (if you use a different number of digits in the OTP, adjust this value)
Destination Item: data_item

TokenValidationValve
Username Parameter: User-Name
Provided OTP Parameter: {{attributes.otp}}
HOTP Lookahead Value: 20
TOTP Max Drift Count: 10

Next, we need to update the LDAPBindValve to use the new password attribute:

LDAPBindValve
Connection: <current connection>
Password: {{attributes.password}}

As a final task, we need to move the new valves to the right position. When done, it should look like this:

Clavister NetWall

NetWall Roaming VPN

The configuration consists of three parts:

  1. Creating the certificates
  2. Configuring the Clavister
  3. Configuring the various clients

Creating the certificates

  1. Create a certificate for the VPN connection. Example: remote.secure-online.nl. The following are needed:
    1. CA cert (self-signed or commercial)
    2. Certificate for the gateway (remote.secure-online.nl)
    3. Private key for the gateway certificate

Configuring the Clavister

  1. Upload the certificates to the Clavister: Objects -> General -> Key Ring -> Add/Certificate
  2. Upload the CA cert (also known as the CA bundle) and disable CRL checks
  3. Upload the gateway certificate + private key and disable CRL checks
  4. Create an IP pool for Roaming VPN clients: Objects -> General -> Address Book -> Add/IP4 Address
    • Name: Roaming_pool
    • Address: x.x.x.100–x.x.x.150
  5. Configure a “user database”: Local or RADIUS
    • Local: System -> Users -> Local User Database
    • RADIUS: Policies -> User Authentication -> User Directories -> RADIUS
  6. Configure the VPN interface: Network -> Interfaces and VPN -> IPsec -> Add/Roaming VPN (Simplified)
  7. Configure the VPN interface
  8. Configure firewall rules for the required access.

Configuring the clients

Windows

  1. Import the CA certificate into “Trusted Root Certification Authorities” (Vertrouwde basiscertificaten)
  2. Create a new VPN connection via “Control Panel -> Network and Sharing Center -> Set up a new connection…”
  3. Connect to the DNS name that was used earlier in the gateway certificate.
  4. After creating it, one setting must be changed in the configuration. Go to “Change adapter settings”
  5. Choose type “IKEv2” and encryption “Maximum strength encryption”

MacOS / iOS

  1. Import the CA certificate into the “keychain”.
  2. Create a VPN connection via “Settings -> Network”
    • Server Address: DNS name as in the gateway certificate
    • Remote ID: DNS name as in the gateway certificate (IMPORTANT)
    • Authentication Settings -> Username (enter the credentials.)

Android

The native Android VPN client does not support IKEv2, so an app has to be used for this: strongSwan

  1. Import the CA certificate into strongSwan: Menu -> CA Certificates -> Import certificate
  2. “Add VPN profile”
    1. Server: DNS name as in the gateway certificate
    2. VPN Type: IKEv2 EAP (Username/Password)
    3. Credentials

Deploy Clavister NetWall virtual on Proxmox VE

Software used:

  • Proxmox VE 6.1-5
  • Clavister NetWall 13.00

Start by downloading the KVM install package from my.clavister.com and upload this to the PVE storage.

Everything that follows is done via the CLI as root. Make sure to use an available VM ID.

  1. # qm create <VMID> --bootdisk scsi0
  2. # qm importdisk <VMID> /var/lib/vz/template/iso/cos-core-13.00.00.23-kvm-en.img local-lvm
  3. # qm set <VMID> --scsi0 local-lvm:vm-<VMID>-disk-0

Now you can add the network adapters and set CPU / RAM in the PVE GUI. After this you should be able to start the virtual NetWall. Use the correct bridge and VirtIO as the device model.

If the interfaces are not shown after cOS Core starts up, use the following to make them available.

# pciscan -ethernet
# pciscan -cfupdate

Once they are installed, you can start assigning IP addresses from the CLI:

# set Address IP4Address if1_ip Address=x.x.x.x
# set Address IP4Address if1_net Address=x.x.x.x/xx
# activate
# commit

When the IP has been set, you can go to the GUI and start configuring there.

Configure Clavister NetWall with 3CX PBX

Software Used:

  • Clavister NetWall 13.00.02
  • 3CX PBX V16

This FAQ describes the configuration of a Clavister NetWall for use with the 3CX Phone System.

Step 1: Configure port-forwarding

Log in to the web interface of the Clavister NetWall.

  1. Go to “Objects -> Address Book” and click “Add -> IP4 Address“.
    Name: PBX_3CX
    IP: Address of the 3CX PBX
  2. Go to “Objects -> Services” and click “Add -> TCP/UDP Service“. See: https://www.3cx.com/docs/ports/ for actual port information
  3. Add a service group (Sip_grp) containing the Sip_* service objects.
  4. Go to “Policies -> Main IP Ruleset” and click “Add -> IP Policy“.
    Name: Publish_3CX
    Action: Allow
    Source if: WAN
    Source IP: all-nets
    Destination if: core
    Destination IP: WAN_ip
    Service: Sip_grp
    Source Address Translation: None
    Destination Address Translation: SAT
    Address Action: Single IP
    New IP Address: PBX_3CX
    Port Action: None
  5. Go to “Policies -> Main IP Ruleset” and click “Add -> IP Policy“.
    Name: Outbound_3CX
    Action: Allow
    Source if: LAN
    Source IP: PBX_3CX
    Destination if: WAN
    Destination IP: all-nets
    Service: all_tcpudpicmp
    Source Address Translation: SAT
    Address Action: Single IP
    New IP Address: WAN_ip
    Port Action: None
    Destination Address Translation: None

Step 2: Validating your setup

Log into your 3CX Management Console and go to “Dashboard” > “Firewall” to run the 3CX Firewall Checker, which validates that your firewall is correctly configured for use with 3CX.
More information about the Firewall Checker can be found here.

DHCP Option 43 for Ubiquiti APs

Configuring a Ubiquiti access point to connect to a remote UniFi Controller (not on the same subnet) is easy using DHCP option 43 (Vendor Specific Information). All we need is the IP address of the controller converted to a hex string: https://www.browserling.com/tools/ip-to-hex

  1. Go to Network -> Network Services -> DHCP Servers and open the one which will hand out information to the Ubiquiti device.
  2. Next, add a new Custom Object:
    1. Code: 43
    2. Type: BINARY
    3. Parameter: 0104<HEX IP Address>   (replace the converter’s 0x prefix with 0104)
  3. Save and activate the config.
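The 0104 prefix is the vendor-specific sub-option header the UniFi AP expects: sub-option code 1 (controller address) and length 4, followed by the four address bytes. The Python below is an added example, not part of the original FAQ or of any Clavister or Ubiquiti tooling, that builds the parameter string from a controller address and parses such a string back so you can verify what you are about to save; the function names and the sample address are my own.

```python
import ipaddress
from typing import Dict

# Sub-option 1 carries the UniFi controller's IPv4 address (4 bytes) -> header bytes "01 04".
UNIFI_SUBOPTION_CONTROLLER = 1


def unifi_option43(controller_ip: str) -> str:
    """Return the hex string for the DHCP option 43 custom object (type BINARY)."""
    addr = ipaddress.IPv4Address(controller_ip)  # raises ValueError on anything that is not an IPv4 address
    payload = bytes([UNIFI_SUBOPTION_CONTROLLER, len(addr.packed)]) + addr.packed
    return payload.hex()


def parse_option43(hex_value: str) -> Dict[int, bytes]:
    """Parse a vendor-specific TLV blob into {sub-option code: value}.

    Rejects truncated headers and length fields that run past the data, so a
    mistyped parameter fails here instead of silently misconfiguring the AP.
    """
    raw = bytes.fromhex(hex_value)
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header at offset %d" % i)
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d declares %d bytes but only %d present" % (code, length, len(value)))
        subs[code] = value
        i += 2 + length
    return subs


def controller_ip_from_option43(hex_value: str) -> str:
    """Round-trip check: recover the controller address from the option 43 string."""
    subs = parse_option43(hex_value)
    value = subs.get(UNIFI_SUBOPTION_CONTROLLER)
    if value is None or len(value) != 4:
        raise ValueError("no 4-byte controller address sub-option in option 43 data")
    return str(ipaddress.IPv4Address(value))


if __name__ == "__main__":
    # Constructed sample: a controller at 192.168.1.5 -> "0104c0a80105"
    param = unifi_option43("192.168.1.5")
    print(param, controller_ip_from_option43(param))
```

Running the round trip before saving the custom object catches the two common mistakes with this setting: leaving the 0x prefix in place (which is not valid hex for the parameter) and pasting a hex string whose length does not match the 04 length byte.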

Clavister InCenter

Deploy Clavister InCenter on Proxmox VE

Software used:

  • Proxmox 6.1-8
  • Clavister InCenter 1.64.01

Start by downloading the Clavister InCenter QCOW2 image and upload this to the PVE storage.

The setup procedure is quite straightforward.

  1. Create a new VM via the GUI.
  2. Via the CLI, move the qcow2 image into the right place (VM ID 104 in this example):
    # cp /var/lib/vz/template/qemu/clavister-incenter-1-64-01-2-on-premise-qemu.qcow2 /var/lib/vz/images/104/vm-104-disk-0.qcow2
  3. Now you can start the VM.